Zero Knowledge Protocol

Similar documents
ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

Cryptographic protocols

Ideal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012

Zero-Knowledge Proof and Authentication Protocols

A Mathematical Proof. Zero Knowledge Protocols. Interactive Proof System. Other Kinds of Proofs. When referring to a proof in logic we usually mean:

Zero Knowledge Protocols. c Eli Biham - May 3, Zero Knowledge Protocols (16)

Identification Schemes

Introduction to Modern Cryptography. Benny Chor

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Chapter 9 Public Key Cryptography. WANG YANG

Comparison of ZKP based Authentication Mechanisms for securing the web server

Zero-Knowledge Proofs of Knowledge

ZERO KNOWLEDGE PROOFS FOR EXACT COVER AND 0-1 KNAPSACK

Computer Security CS 426 Lecture 35. CS426 Fall 2010/Lecture 35 1

l20 nov zero-knowledge proofs

Forward-Secure Signatures for Unbounded Time Periods in Mobile Computing Applications

Notes for Lecture 24

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

E-cash. Cryptography. Professor: Marius Zimand. e-cash. Benefits of cash: anonymous. difficult to copy. divisible (you can get change)

Lecture 10, Zero Knowledge Proofs, Secure Computation

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Homework 2 CS161 Computer Security, Spring 2008 Assigned 2/13/08 Due 2/25/08

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

CPSC 467b: Cryptography and Computer Security

Dawn Song

An Overview of Secure Multiparty Computation

Digital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2

ENEE 459-C Computer Security. Security protocols

Study Guide for the Final Exam

Digital Multi Signature Schemes Premalatha A Grandhi

Public Key Cryptography and the RSA Cryptosystem

Test 2 Review. (b) Give one significant advantage of a nonce over a timestamp.

CS549: Cryptography and Network Security

CS Computer Networks 1: Authentication

Secure Multiparty Computation

Anonymous Credentials: How to show credentials without compromising privacy. Melissa Chase Microsoft Research

Using Commutative Encryption to Share a Secret

Overview. Public Key Algorithms I

Lecture 5: Zero Knowledge for all of NP

ENEE 459-C Computer Security. Security protocols (continued)

CS 161 Computer Security

CS 494/594 Computer and Network Security

MTAT Cryptology II. Entity Authentication. Sven Laur University of Tartu

Lecture 3 Algorithms with numbers (cont.)

CSA E0 312: Secure Computation October 14, Guest Lecture 2-3

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

Public Key Algorithms

Strong Password Protocols

Real-time protocol. Chapter 16: Real-Time Communication Security

Activity Guide - Public Key Cryptography

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Cryptographic proof of custody for incentivized file-sharing

Interested in learning more? Global Information Assurance Certification Paper. Copyright SANS Institute Author Retains Full Rights

More crypto and security

Cryptography Today. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 44

Kurose & Ross, Chapters (5 th ed.)

Lecture 9: Zero-Knowledge Proofs

Authentication. Strong Password Protocol. IT352 Network Security Najwa AlGhamdi

CRYPTOGRAPHY & DIGITAL SIGNATURE

Public-key encipherment concept

1. Diffie-Hellman Key Exchange

Step-out Ring Signatures

Crypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))

CSC 474/574 Information Systems Security

Zero-Knowledge Proofs. Zero-Knowledge Proofs. Slides from a Talk by Eric Postpischil

One-Shot Verifiable Encryption from Lattices. Vadim Lyubashevsky and Gregory Neven IBM Research -- Zurich

INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

Fair Exchange Protocols

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Great Theoretical Ideas in Computer Science. Lecture 27: Cryptography

Test 2 Review. 1. (10 points) Timestamps and nonces are both used in security protocols to prevent replay attacks.

A Tour of Classical and Modern Cryptography

Fall 2005 Joseph/Tygar/Vazirani/Wagner Final

Computer Networks & Security 2016/2017

Session key establishment protocols

Physical Zero-Knowledge Proofs of Physical Properties

Public Key Algorithms

APPLICATIONS AND PROTOCOLS. Mihir Bellare UCSD 1

Session key establishment protocols

CS 161 Computer Security

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

An Authorised Pseudonym System for Privacy Preserving Location Proof Architectures

Homomorphic encryption (whiteboard)

Authentication, Enhanced Security and Error Correcting Codes. (Extended Abstract) Yonatan Aumann t and Michael O. Rabin 2

Massachusetts Institute of Technology Handout : Network and Computer Security October 23, 2003 Professor Ronald L. Rivest.

Password. authentication through passwords

Solution to Problem Set 8

Cryptography (DES+RSA) by Amit Konar Dept. of Math and CS, UMSL

Key Establishment and Authentication Protocols EECE 412

Cryptography III Want to make a billion dollars? Just factor this one number!

1 Identification protocols

Reminder: Homework 4. Due: Friday at the beginning of class

Chapter 8 Security. Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

Fair exchange and non-repudiation protocols

Lecture 22 - Oblivious Transfer (OT) and Private Information Retrieval (PIR)

An Overview of Active Security in Garbled Circuits

Diffie-Hellman. Part 1 Cryptography 136

A Novel Identity-based Group Signature Scheme from Bilinear Maps

Transcription:

Akash Patel (SJSU)

Zero Knowledge Protocol Zero knowledge proof or protocol is method in which a party A can prove that given statement X is certainly true to party B without revealing any additional information [1]. Lets say Alice and Bob want to communicate over shared network. Alice initiate the communication and sends secret to Bob. Bob verifies the secret so he can be certain that he is communicating with Alice. Once he verifies the secret,he sends conformation. In the above scenario, Bob must know Alice s secret so he can verify Alice s identity but now Bob can impersonate Alice. Zero knowledge protocol allow Alice to prove Bob that she knows the secret without revealing the secret. In this protocol,verification is performed for many executions and each time Alice need s to pass the verification.

Zero Knowledge Protocol [4] Zero knowledge protocol is 3 pass identification protocol. First message is Commitment or witness sent from Alice to Bob, a second message is challenge sent from Bob to Alice and a final message is response sent from Alice to Bob. Zero knowledge protocol must have three properties. 1. Completeness: If the statement is true, the honest verifier will be convinced by honest prover. 2. Soundness: If the statement is false, Trudy can not convince the verifier that it is true, except with some small probability. 3. Zero-knowledge: If the statement is true no cheating verifier learns anything other than this fact. Randomness is also an important property of Zero knowledge protocol. Randomness in the commitment and challenge message are use to hide the secret information.

Fiat-Shamir Protocol [4] Goal of protocol is to prove Alice knows secret s in n executions. This is probabilistic protocol with probability of 2 -n for adversary to fool the verifier. Usually the number of executions are around 20 to 40

How Fiat-Shamir Protocol works? [2] One time Set up: 1. In this protocol, Trusted center selects RSA like modulus N = p* q, where p and q are secret prime number and N is public. 2. Alice select secret S such that S is coprime to N and 1<=S<=N-1, computes V = S 2 mod N. S is private and V is public. Protocol: 1. Alice select random number r and sends x = r 2 mod N to Bob. 2. Bob sends either 0 or 1 to Alice. 3. Alice sends y = r * S e mod N to Bob. Verification: 1. Bob verifies it with y 2 = x * v e mod N.

Why randomness is necessary? [2] Bob might request Alice to perform the experiment as many times as she desires until she s certain of Alice s authority. Throughout the entire process, Bob will only need to work with the publicly known number x, e, & v and will learn nothing about the secret S. In ZK protocol, Random value is used by Alice during commitment phase and used by Bob during challenge phase. Lets say Bob does not use random value for e in second message. Bob uses fixed value either 0 or 1. Case 1: e = 0. Trudy send x = r2 mod N in the first message and y = r mod N in the third message so she followed the protocol and convince the Bob she knows the secret Case 2: e = 1. Trudy will send x = r 2 v -1 mod N in the first message and y = r mod N in the third message. Bob tries to calculate y 2 =r 2 and xv e = r 2 v -1 v = r 2 and Bob convince that Trudy knows the secret So it is necessary for Bob to chose random value for e. Trudy can only fool Bob with probability ½ and, as with Bob s Cave, after n iterations, the probability that Trudy can fool Bob is only ( 1/2 n ).

Why Alice needs to chose the random value? [2] Alice also needs to chose random value for r at each iteration. Suppose Alice uses same value for each iteration. Lets say Bob sends e = 0 and Alice sends r mod N in third message Now Bob sends e = 1, Alice sends r*s mode N Trudy records entire communication and she knows r mod N and r*s mod N It is very easy for Trudy to find the value of S from r mod N and r*s mod N So it is necessary for Alice to select random value for r at each iteration.

Does it really Zero Knowledge? [2] Let s say Bob wants to learn about Alice s secret. In V = S 2 mod N, V and N are public. Bob gets r 2 mod N in message 1. If e = 1 Bob receive: r*s mod N. If Bob can find r from r 2 mod N then he can find s from r*s mod N. We have assumed that finding a modular square root is computationally infeasible.

Is Zero Knowledge completely anonymous? Lets say Bob and Alice wants to communicate. Alice does not know Bob s public Key. Bob sends his certificate to Alice. Certificate can reveal Bob s identity. Trudy can determine Bob is part of any communication. It is difficult to maintain anonymity when public keys are used.

Pros and Con of Zero- knowledge [6] Pros: Secured Not requiring the revelation of one s secret. Simple Does not involve complex encryption methods. Cons: Limited Secret must be numerical, otherwise a translation is needed. Lengthy There are 2k computations, each computation requires a certain amount of running time. Imperfect The Malice can still intercept the transmission (i.e. messages to the Verifier or the prover might be modified or destroyed).

Web Authentication based on ZKP [5]

Web Authentication based on ZKP [5]

References 1. http://en.wikipedia.org/wiki/zero-knowledge_proof 2. Section 9.5 of Information Security Principles and practice by Dr. Mark Stamp,Published by JohnWiley & Sons, Inc 3. Technical Paper: How to Explain Zero-Knowledge Protocols to Your Children. Advances in Cryptology - CRYPTO '89, 9th Annual International Cryptology Conference, Santa Barbara, California, USA, August 20-24, 1989, Proceedings 4. Technical Paper: Overview of Zero-Knowledge Protocols by Jeffrey Knapp. http://www.cs.rit.edu/~jjk8346/paper.pdf 5. Technical Paper: Implementing Zero-Knowledge Authentication with Zero Knowledge (ZKA_wzk) by Lum Jia Jun, Brandon. http://ojs.pythonpapers.org/index.php/tppm/article/view/155/142 6. Zero knowledge Protocol paper presentation by J. Chu http://jason.mchu.com/zkp.ppt

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback